Global crackdown dismantles Aisuru, KimWolf, JackSkid and Mossad botnets behind major DDoS attack campaigns targeting millions of devices worldwide.

DoJ disrupted IoT botnets’ C2 infrastructure with global partners, targeting operators behind AISURU, Kimwolf, JackSkid, and others.

The U.S. DoJ disrupted command-and-control infrastructure used by several IoT botnets, including AISURU, Kimwolf, JackSkid, and Mossad. The operation involved authorities from Canada and Germany, along with major tech companies, to target botnet operators and weaken their global cybercrime activities.

“The U.S. Justice Department participated in a court-authorized law enforcement operation today to disrupt Command and Control (C2) infrastructure used by the Aisuru, KimWolf, JackSkid and Mossad Internet of Things (IoT) botnets.” reads the press release published by DoJ.

“The operation was conducted simultaneously to law enforcement actions conducted in Canada and Germany, which targeted individuals who operated these botnets. The four botnets launched Distributed Denial of Service (DDoS) attacks targeting victims around the world. Some of these attacks measured approximately 30 Terabits per second, which were record-breaking attacks.”

U.S. authorities seized domains, servers, and infrastructure used in cybercrime, including DDoS attacks targeting Department of Defense systems. The disrupted botnets had infected over 3 million devices worldwide, mainly IoT like cameras and routers, often bypassing firewall protections. Operators used a “cybercrime-as-a-service” model, renting access to these hijacked devices to launch large-scale DDoS attacks globally.

Victims reported heavy losses from DDoS attacks, with criminals launching hundreds of thousands of attacks and sometimes demanding extortion payments. The Aisuru botnet was used to launch over 200,000 attack commands, JackSkid 90,000, KimWolf 25,000, and Mossad over 1,000. The joint international operation aims to disrupt these botnets, stop further infections, and prevent future attacks.

“By working closely with DCIS and our international law enforcement partners, we collectively identified and disrupted criminal infrastructure used to carry out large-scale DDoS attacks,” said Special Agent in Charge Rebecca Day of the FBI Anchorage Field Office. “This operation reflects the strength of that collaboration and our shared commitment to combatting cybercrime and protecting victims worldwide.”

The AISURU/Kimwolf botnet was linked to a record-breaking DDoS attack that peaked at 31.4 Tbps and lasted just 35 seconds. Cloudflare said the November 2025 incident was part of a surge in hyper-volumetric HTTP DDoS attacks observed in late 2025, all automatically detected and mitigated.

Acting as a DDoS-for-hire service, Aisuru avoids government and military targets, but broadband providers faced serious disruptions from attacks exceeding 1.5Tb/sec from infected customer devices.

Like other TurboMirai botnets, Aisuru incorporates additional dedicated DDoS attack capabilities and multi-use functions, enabling operators to carry out other illicit activities, including credential stuffing, artificial intelligence (AI)-driven web scraping, spamming, and phishing.

Attacks use UDP, TCP, and GRE floods with medium-sized packets and randomized ports/flags. Over 1Tb/sec traffic from compromised CPEs disrupts broadband, and 4gpps+ floods have caused router line card failures.

Kimwolf is a newly discovered Android botnet linked to the Aisuru botnet that has infected over 1.8 million devices and issued more than 1.7 billion DDoS attack commands, according to XLab.

The Kimwol Android botnet primarily targets TV boxes, compiled using the NDK and equipped with DDoS, proxy forwarding, reverse shell, and file management functions. It encrypts sensitive data with a simple Stack XOR, uses DNS over TLS to hide communication, and authenticates C2 commands with elliptic curve digital signatures. Recent versions even incorporate EtherHiding to resist takedowns via blockchain domains.

Kimwolf follows a naming pattern of “niggabox + v[number]”; versions v4 and v5 have been tracked. By taking over one C2 domain, researchers observed around 2.7 million IPs interacting over three days, indicating a likely infection scale exceeding 1.8 million devices. Its infrastructure spans multiple C2s, global time zones, and versions, making it hard to estimate the total number of infections.

The botnet borrows the code from the Aisuru family, however, operators redesigned it to evade detection. Its primary function is traffic proxying, though it can execute massive DDoS attacks, as seen in a three-day period issuing 1.7 billion commands between November 19 and 22.

In Q4 2025, the largest DDoS attacks mainly targeted Cloudflare customers in the Telecommunications, Service Providers, and Carriers sector, followed by Gaming and Generative AI services. Cloudflare’s own infrastructure was also attacked using HTTP floods, DNS attacks, and UDP floods. Globally, China, the United States, Germany, and Brazil remained among the most targeted countries, while Hong Kong and especially the United Kingdom saw sharp increases in attacks.

Most DDoS attacks in Q4 2025 originated from IPs linked to major cloud platforms like DigitalOcean, Microsoft, Tencent, Oracle, and Hetzner, mostly in the U.S. Telcos in Asia-Pacific also contributed. Attacks are global, using thousands of source networks. Cloudflare offers a free DDoS Botnet Threat Feed, with 800+ networks collaborating to identify and shut down abusive IPs.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, botnet)

The U.S. Justice Department joined authorities in Canada and Germany in dismantling the online infrastructure behind four highly disruptive botnets that compromised more than three million Internet of Things (IoT) devices, such as routers and web cameras. The feds say the four botnets — named Aisuru, Kimwolf, JackSkid and Mossad — are responsible for a series of recent record-smashing distributed denial-of-service (DDoS) attacks capable of knocking nearly any target offline.

The Justice Department said the Department of Defense Office of Inspector General’s (DoDIG) Defense Criminal Investigative Service (DCIS) executed seizure warrants targeting multiple U.S.-registered domains, virtual servers, and other infrastructure involved in DDoS attacks against Internet addresses owned by the DoD.

The government alleges the unnamed people in control of the four botnets used their crime machines to launch hundreds of thousands of DDoS attacks, often demanding extortion payments from victims. Some victims reported tens of thousands of dollars in losses and remediation expenses.

The oldest of the botnets — Aisuru — issued more than 200,000 attacks commands, while JackSkid hurled at least 90,000 attacks. Kimwolf issued more than 25,000 attack commands, the government said, while Mossad was blamed for roughy 1,000 digital sieges.

The DOJ said the law enforcement action was designed to prevent further infection to victim devices and to limit or eliminate the ability of the botnets to launch future attacks. The case is being investigated by the DCIS with help from the FBI’s field office in Anchorage, Alaska, and the DOJ’s statement credits nearly two dozen technology companies with assisting in the operation.

“By working closely with DCIS and our international law enforcement partners, we collectively identified and disrupted criminal infrastructure used to carry out large-scale DDoS attacks,” said Special Agent in Charge Rebecca Day of the FBI Anchorage Field Office.

Aisuru emerged in late 2024, and by mid-2025 it was launching record-breaking DDoS attacks as it rapidly infected new IoT devices. In October 2025, Aisuru was used to seed Kimwolf, an Aisuru variant which introduced a novel spreading mechanism that allowed the botnet to infect devices hidden behind the protection of the user’s internal network.

On January 2, 2026, the security firm Synthient publicly disclosed the vulnerability Kimwolf was using to propagate so quickly. That disclosure helped curtail Kimwolf’s spread somewhat, but since then several other IoT botnets have emerged that effectively copy Kimwolf’s spreading methods while competing for the same pool of vulnerable devices. According to the DOJ, the JackSkid botnet also sought out systems on internal networks just like Kimwolf.

The DOJ said its disruption of the four botnets coincided with “law enforcement actions” conducted in Canada and Germany targeting individuals who allegedly operated those botnets, although no further details were available on the suspected operators.

In late February, KrebsOnSecurity identified a 22-year-old Canadian man as a core operator of the Kimwolf botnet. Multiple sources familiar with the investigation told KrebsOnSecurity the other prime suspect is a 15-year-old living in Germany.